Re: [PATCH v7 0/6] seccomp trap to userspace
On Sat, Sep 29, 2018 at 12:47 AM Michael Kerrisk (man-pages) wrote: > On Sat, 29 Sep 2018 at 00:35, Kees Cook wrote: > > On Fri, Sep 28, 2018 at 3:16 PM, Michael Kerrisk (man-pages) > > wrote: > > > On Sat, 29 Sep 2018 at 00:04, Tycho Andersen wrote: > > >> On Fri, Sep 28, 2018 at 11:57:40PM +0200, Michael Kerrisk (man-opages) > > >> wrote: > > >> > On 09/27/2018 05:11 PM, Tycho Andersen wrote: > > >> > > Here's v7 of the seccomp trap to userspace set. There are various > > >> > > minor > > >> > > changes and bug fixes, but two major changes: > > >> > > > > >> > > * We now pass fds to the tracee via an ioctl, and do it immediately > > >> > > when > > >> > >the ioctl is called. For this we needed some help from the vfs, so > > >> > >I've put the one patch in this series and cc'd fsdevel. This does > > >> > > have > > >> > >the advantage that the feature is now totally decoupled from the > > >> > > rest > > >> > >of the set, which is itself useful (thanks Andy!) > > >> > > > > >> > > * Instead of putting all of the notification related stuff into the > > >> > >struct seccomp_filter, it now lives in its own struct > > >> > > notification, > > >> > >which is pointed to by struct seccomp_filter. This will save a > > >> > > lot of > > >> > >memory (thanks Tyler!) > > >> > > > >> > Is there a documentation (man page) patch for this API change? > > >> > > >> Not yet, but once we decide on a final API I'll prepare one. > > > > > > Honestly, the production of such documentation should be part of the > > > evolution towards the final API... > > > > > > Documentation is not an afterthought. It's a tool for pushing you, the > > > developer (and others, your reviewers) to more deeply consider your > > > design. > > > > In Tycho's defense, he did write up documentation in Documentation/ > > for the feature, so it won't be an afterthought. :) > > So, I missed that... How do I find this Documentation/ ? It's in patch 1: https://lore.kernel.org/lkml/20180927151119.9989-2-ty...@tycho.ws/
Re: [PATCH v7 0/6] seccomp trap to userspace
On Sat, Sep 29, 2018 at 12:47 AM Michael Kerrisk (man-pages) wrote: > On Sat, 29 Sep 2018 at 00:35, Kees Cook wrote: > > On Fri, Sep 28, 2018 at 3:16 PM, Michael Kerrisk (man-pages) > > wrote: > > > On Sat, 29 Sep 2018 at 00:04, Tycho Andersen wrote: > > >> On Fri, Sep 28, 2018 at 11:57:40PM +0200, Michael Kerrisk (man-opages) > > >> wrote: > > >> > On 09/27/2018 05:11 PM, Tycho Andersen wrote: > > >> > > Here's v7 of the seccomp trap to userspace set. There are various > > >> > > minor > > >> > > changes and bug fixes, but two major changes: > > >> > > > > >> > > * We now pass fds to the tracee via an ioctl, and do it immediately > > >> > > when > > >> > >the ioctl is called. For this we needed some help from the vfs, so > > >> > >I've put the one patch in this series and cc'd fsdevel. This does > > >> > > have > > >> > >the advantage that the feature is now totally decoupled from the > > >> > > rest > > >> > >of the set, which is itself useful (thanks Andy!) > > >> > > > > >> > > * Instead of putting all of the notification related stuff into the > > >> > >struct seccomp_filter, it now lives in its own struct > > >> > > notification, > > >> > >which is pointed to by struct seccomp_filter. This will save a > > >> > > lot of > > >> > >memory (thanks Tyler!) > > >> > > > >> > Is there a documentation (man page) patch for this API change? > > >> > > >> Not yet, but once we decide on a final API I'll prepare one. > > > > > > Honestly, the production of such documentation should be part of the > > > evolution towards the final API... > > > > > > Documentation is not an afterthought. It's a tool for pushing you, the > > > developer (and others, your reviewers) to more deeply consider your > > > design. > > > > In Tycho's defense, he did write up documentation in Documentation/ > > for the feature, so it won't be an afterthought. :) > > So, I missed that... How do I find this Documentation/ ? It's in patch 1: https://lore.kernel.org/lkml/20180927151119.9989-2-ty...@tycho.ws/
Re: [PATCH v7 0/6] seccomp trap to userspace
Hi Kees, On Sat, 29 Sep 2018 at 00:35, Kees Cook wrote: > > On Fri, Sep 28, 2018 at 3:16 PM, Michael Kerrisk (man-pages) > wrote: > > Hi Tycho, > > > > On Sat, 29 Sep 2018 at 00:04, Tycho Andersen wrote: > >> > >> On Fri, Sep 28, 2018 at 11:57:40PM +0200, Michael Kerrisk (man-opages) > >> wrote: > >> > Hi Tycho, > >> > > >> > On 09/27/2018 05:11 PM, Tycho Andersen wrote: > >> > > Hi all, > >> > > > >> > > Here's v7 of the seccomp trap to userspace set. There are various minor > >> > > changes and bug fixes, but two major changes: > >> > > > >> > > * We now pass fds to the tracee via an ioctl, and do it immediately > >> > > when > >> > >the ioctl is called. For this we needed some help from the vfs, so > >> > >I've put the one patch in this series and cc'd fsdevel. This does > >> > > have > >> > >the advantage that the feature is now totally decoupled from the > >> > > rest > >> > >of the set, which is itself useful (thanks Andy!) > >> > > > >> > > * Instead of putting all of the notification related stuff into the > >> > >struct seccomp_filter, it now lives in its own struct notification, > >> > >which is pointed to by struct seccomp_filter. This will save a lot > >> > > of > >> > >memory (thanks Tyler!) > >> > > >> > Is there a documentation (man page) patch for this API change? > >> > >> Not yet, but once we decide on a final API I'll prepare one. > > > > Honestly, the production of such documentation should be part of the > > evolution towards the final API... > > > > Documentation is not an afterthought. It's a tool for pushing you, the > > developer (and others, your reviewers) to more deeply consider your > > design. > > In Tycho's defense, he did write up documentation in Documentation/ > for the feature, so it won't be an afterthought. :) So, I missed that... How do I find this Documentation/ ? > But yes, there's > no manpage delta yet. But, really, there should be, as part of the ongoing evolution of the patch... (Apologies, Tycho. It may be that I came across a bit harshly.) Thanks, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/
Re: [PATCH v7 0/6] seccomp trap to userspace
Hi Kees, On Sat, 29 Sep 2018 at 00:35, Kees Cook wrote: > > On Fri, Sep 28, 2018 at 3:16 PM, Michael Kerrisk (man-pages) > wrote: > > Hi Tycho, > > > > On Sat, 29 Sep 2018 at 00:04, Tycho Andersen wrote: > >> > >> On Fri, Sep 28, 2018 at 11:57:40PM +0200, Michael Kerrisk (man-opages) > >> wrote: > >> > Hi Tycho, > >> > > >> > On 09/27/2018 05:11 PM, Tycho Andersen wrote: > >> > > Hi all, > >> > > > >> > > Here's v7 of the seccomp trap to userspace set. There are various minor > >> > > changes and bug fixes, but two major changes: > >> > > > >> > > * We now pass fds to the tracee via an ioctl, and do it immediately > >> > > when > >> > >the ioctl is called. For this we needed some help from the vfs, so > >> > >I've put the one patch in this series and cc'd fsdevel. This does > >> > > have > >> > >the advantage that the feature is now totally decoupled from the > >> > > rest > >> > >of the set, which is itself useful (thanks Andy!) > >> > > > >> > > * Instead of putting all of the notification related stuff into the > >> > >struct seccomp_filter, it now lives in its own struct notification, > >> > >which is pointed to by struct seccomp_filter. This will save a lot > >> > > of > >> > >memory (thanks Tyler!) > >> > > >> > Is there a documentation (man page) patch for this API change? > >> > >> Not yet, but once we decide on a final API I'll prepare one. > > > > Honestly, the production of such documentation should be part of the > > evolution towards the final API... > > > > Documentation is not an afterthought. It's a tool for pushing you, the > > developer (and others, your reviewers) to more deeply consider your > > design. > > In Tycho's defense, he did write up documentation in Documentation/ > for the feature, so it won't be an afterthought. :) So, I missed that... How do I find this Documentation/ ? > But yes, there's > no manpage delta yet. But, really, there should be, as part of the ongoing evolution of the patch... (Apologies, Tycho. It may be that I came across a bit harshly.) Thanks, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/
Re: [PATCH v7 0/6] seccomp trap to userspace
On Fri, Sep 28, 2018 at 3:16 PM, Michael Kerrisk (man-pages) wrote: > Hi Tycho, > > On Sat, 29 Sep 2018 at 00:04, Tycho Andersen wrote: >> >> On Fri, Sep 28, 2018 at 11:57:40PM +0200, Michael Kerrisk (man-opages) wrote: >> > Hi Tycho, >> > >> > On 09/27/2018 05:11 PM, Tycho Andersen wrote: >> > > Hi all, >> > > >> > > Here's v7 of the seccomp trap to userspace set. There are various minor >> > > changes and bug fixes, but two major changes: >> > > >> > > * We now pass fds to the tracee via an ioctl, and do it immediately when >> > >the ioctl is called. For this we needed some help from the vfs, so >> > >I've put the one patch in this series and cc'd fsdevel. This does have >> > >the advantage that the feature is now totally decoupled from the rest >> > >of the set, which is itself useful (thanks Andy!) >> > > >> > > * Instead of putting all of the notification related stuff into the >> > >struct seccomp_filter, it now lives in its own struct notification, >> > >which is pointed to by struct seccomp_filter. This will save a lot of >> > >memory (thanks Tyler!) >> > >> > Is there a documentation (man page) patch for this API change? >> >> Not yet, but once we decide on a final API I'll prepare one. > > Honestly, the production of such documentation should be part of the > evolution towards the final API... > > Documentation is not an afterthought. It's a tool for pushing you, the > developer (and others, your reviewers) to more deeply consider your > design. In Tycho's defense, he did write up documentation in Documentation/ for the feature, so it won't be an afterthought. :) But yes, there's no manpage delta yet. -Kees -- Kees Cook Pixel Security
Re: [PATCH v7 0/6] seccomp trap to userspace
On Fri, Sep 28, 2018 at 3:16 PM, Michael Kerrisk (man-pages) wrote: > Hi Tycho, > > On Sat, 29 Sep 2018 at 00:04, Tycho Andersen wrote: >> >> On Fri, Sep 28, 2018 at 11:57:40PM +0200, Michael Kerrisk (man-opages) wrote: >> > Hi Tycho, >> > >> > On 09/27/2018 05:11 PM, Tycho Andersen wrote: >> > > Hi all, >> > > >> > > Here's v7 of the seccomp trap to userspace set. There are various minor >> > > changes and bug fixes, but two major changes: >> > > >> > > * We now pass fds to the tracee via an ioctl, and do it immediately when >> > >the ioctl is called. For this we needed some help from the vfs, so >> > >I've put the one patch in this series and cc'd fsdevel. This does have >> > >the advantage that the feature is now totally decoupled from the rest >> > >of the set, which is itself useful (thanks Andy!) >> > > >> > > * Instead of putting all of the notification related stuff into the >> > >struct seccomp_filter, it now lives in its own struct notification, >> > >which is pointed to by struct seccomp_filter. This will save a lot of >> > >memory (thanks Tyler!) >> > >> > Is there a documentation (man page) patch for this API change? >> >> Not yet, but once we decide on a final API I'll prepare one. > > Honestly, the production of such documentation should be part of the > evolution towards the final API... > > Documentation is not an afterthought. It's a tool for pushing you, the > developer (and others, your reviewers) to more deeply consider your > design. In Tycho's defense, he did write up documentation in Documentation/ for the feature, so it won't be an afterthought. :) But yes, there's no manpage delta yet. -Kees -- Kees Cook Pixel Security
Re: [PATCH v7 0/6] seccomp trap to userspace
Hi Tycho, On Sat, 29 Sep 2018 at 00:04, Tycho Andersen wrote: > > On Fri, Sep 28, 2018 at 11:57:40PM +0200, Michael Kerrisk (man-opages) wrote: > > Hi Tycho, > > > > On 09/27/2018 05:11 PM, Tycho Andersen wrote: > > > Hi all, > > > > > > Here's v7 of the seccomp trap to userspace set. There are various minor > > > changes and bug fixes, but two major changes: > > > > > > * We now pass fds to the tracee via an ioctl, and do it immediately when > > >the ioctl is called. For this we needed some help from the vfs, so > > >I've put the one patch in this series and cc'd fsdevel. This does have > > >the advantage that the feature is now totally decoupled from the rest > > >of the set, which is itself useful (thanks Andy!) > > > > > > * Instead of putting all of the notification related stuff into the > > >struct seccomp_filter, it now lives in its own struct notification, > > >which is pointed to by struct seccomp_filter. This will save a lot of > > >memory (thanks Tyler!) > > > > Is there a documentation (man page) patch for this API change? > > Not yet, but once we decide on a final API I'll prepare one. Honestly, the production of such documentation should be part of the evolution towards the final API... Documentation is not an afterthought. It's a tool for pushing you, the developer (and others, your reviewers) to more deeply consider your design. Thanks, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/
Re: [PATCH v7 0/6] seccomp trap to userspace
Hi Tycho, On Sat, 29 Sep 2018 at 00:04, Tycho Andersen wrote: > > On Fri, Sep 28, 2018 at 11:57:40PM +0200, Michael Kerrisk (man-opages) wrote: > > Hi Tycho, > > > > On 09/27/2018 05:11 PM, Tycho Andersen wrote: > > > Hi all, > > > > > > Here's v7 of the seccomp trap to userspace set. There are various minor > > > changes and bug fixes, but two major changes: > > > > > > * We now pass fds to the tracee via an ioctl, and do it immediately when > > >the ioctl is called. For this we needed some help from the vfs, so > > >I've put the one patch in this series and cc'd fsdevel. This does have > > >the advantage that the feature is now totally decoupled from the rest > > >of the set, which is itself useful (thanks Andy!) > > > > > > * Instead of putting all of the notification related stuff into the > > >struct seccomp_filter, it now lives in its own struct notification, > > >which is pointed to by struct seccomp_filter. This will save a lot of > > >memory (thanks Tyler!) > > > > Is there a documentation (man page) patch for this API change? > > Not yet, but once we decide on a final API I'll prepare one. Honestly, the production of such documentation should be part of the evolution towards the final API... Documentation is not an afterthought. It's a tool for pushing you, the developer (and others, your reviewers) to more deeply consider your design. Thanks, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/
Re: [PATCH v7 0/6] seccomp trap to userspace
On Fri, Sep 28, 2018 at 11:57:40PM +0200, Michael Kerrisk (man-opages) wrote: > Hi Tycho, > > On 09/27/2018 05:11 PM, Tycho Andersen wrote: > > Hi all, > > > > Here's v7 of the seccomp trap to userspace set. There are various minor > > changes and bug fixes, but two major changes: > > > > * We now pass fds to the tracee via an ioctl, and do it immediately when > >the ioctl is called. For this we needed some help from the vfs, so > >I've put the one patch in this series and cc'd fsdevel. This does have > >the advantage that the feature is now totally decoupled from the rest > >of the set, which is itself useful (thanks Andy!) > > > > * Instead of putting all of the notification related stuff into the > >struct seccomp_filter, it now lives in its own struct notification, > >which is pointed to by struct seccomp_filter. This will save a lot of > >memory (thanks Tyler!) > > Is there a documentation (man page) patch for this API change? Not yet, but once we decide on a final API I'll prepare one. Cheers, Tycho
Re: [PATCH v7 0/6] seccomp trap to userspace
On Fri, Sep 28, 2018 at 11:57:40PM +0200, Michael Kerrisk (man-opages) wrote: > Hi Tycho, > > On 09/27/2018 05:11 PM, Tycho Andersen wrote: > > Hi all, > > > > Here's v7 of the seccomp trap to userspace set. There are various minor > > changes and bug fixes, but two major changes: > > > > * We now pass fds to the tracee via an ioctl, and do it immediately when > >the ioctl is called. For this we needed some help from the vfs, so > >I've put the one patch in this series and cc'd fsdevel. This does have > >the advantage that the feature is now totally decoupled from the rest > >of the set, which is itself useful (thanks Andy!) > > > > * Instead of putting all of the notification related stuff into the > >struct seccomp_filter, it now lives in its own struct notification, > >which is pointed to by struct seccomp_filter. This will save a lot of > >memory (thanks Tyler!) > > Is there a documentation (man page) patch for this API change? Not yet, but once we decide on a final API I'll prepare one. Cheers, Tycho
Re: [PATCH v7 0/6] seccomp trap to userspace
Hi Tycho, On 09/27/2018 05:11 PM, Tycho Andersen wrote: Hi all, Here's v7 of the seccomp trap to userspace set. There are various minor changes and bug fixes, but two major changes: * We now pass fds to the tracee via an ioctl, and do it immediately when the ioctl is called. For this we needed some help from the vfs, so I've put the one patch in this series and cc'd fsdevel. This does have the advantage that the feature is now totally decoupled from the rest of the set, which is itself useful (thanks Andy!) * Instead of putting all of the notification related stuff into the struct seccomp_filter, it now lives in its own struct notification, which is pointed to by struct seccomp_filter. This will save a lot of memory (thanks Tyler!) Is there a documentation (man page) patch for this API change? Thanks, Michael v6 discussion: https://lkml.org/lkml/2018/9/6/769 Thoughts welcome, Tycho Tycho Andersen (6): seccomp: add a return code to trap to userspace seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE seccomp: add a way to get a listener fd from ptrace files: add a replace_fd_files() function seccomp: add a way to pass FDs via a notification fd samples: add an example of seccomp user trap Documentation/ioctl/ioctl-number.txt | 1 + .../userspace-api/seccomp_filter.rst | 89 +++ fs/file.c | 22 +- include/linux/file.h | 8 + include/linux/seccomp.h | 14 +- include/uapi/linux/ptrace.h | 2 + include/uapi/linux/seccomp.h | 42 +- kernel/ptrace.c | 4 + kernel/seccomp.c | 527 ++- samples/seccomp/.gitignore| 1 + samples/seccomp/Makefile | 7 +- samples/seccomp/user-trap.c | 312 + tools/testing/selftests/seccomp/seccomp_bpf.c | 607 +- 13 files changed, 1617 insertions(+), 19 deletions(-) create mode 100644 samples/seccomp/user-trap.c
Re: [PATCH v7 0/6] seccomp trap to userspace
Hi Tycho, On 09/27/2018 05:11 PM, Tycho Andersen wrote: Hi all, Here's v7 of the seccomp trap to userspace set. There are various minor changes and bug fixes, but two major changes: * We now pass fds to the tracee via an ioctl, and do it immediately when the ioctl is called. For this we needed some help from the vfs, so I've put the one patch in this series and cc'd fsdevel. This does have the advantage that the feature is now totally decoupled from the rest of the set, which is itself useful (thanks Andy!) * Instead of putting all of the notification related stuff into the struct seccomp_filter, it now lives in its own struct notification, which is pointed to by struct seccomp_filter. This will save a lot of memory (thanks Tyler!) Is there a documentation (man page) patch for this API change? Thanks, Michael v6 discussion: https://lkml.org/lkml/2018/9/6/769 Thoughts welcome, Tycho Tycho Andersen (6): seccomp: add a return code to trap to userspace seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE seccomp: add a way to get a listener fd from ptrace files: add a replace_fd_files() function seccomp: add a way to pass FDs via a notification fd samples: add an example of seccomp user trap Documentation/ioctl/ioctl-number.txt | 1 + .../userspace-api/seccomp_filter.rst | 89 +++ fs/file.c | 22 +- include/linux/file.h | 8 + include/linux/seccomp.h | 14 +- include/uapi/linux/ptrace.h | 2 + include/uapi/linux/seccomp.h | 42 +- kernel/ptrace.c | 4 + kernel/seccomp.c | 527 ++- samples/seccomp/.gitignore| 1 + samples/seccomp/Makefile | 7 +- samples/seccomp/user-trap.c | 312 + tools/testing/selftests/seccomp/seccomp_bpf.c | 607 +- 13 files changed, 1617 insertions(+), 19 deletions(-) create mode 100644 samples/seccomp/user-trap.c
[PATCH v7 0/6] seccomp trap to userspace
Hi all, Here's v7 of the seccomp trap to userspace set. There are various minor changes and bug fixes, but two major changes: * We now pass fds to the tracee via an ioctl, and do it immediately when the ioctl is called. For this we needed some help from the vfs, so I've put the one patch in this series and cc'd fsdevel. This does have the advantage that the feature is now totally decoupled from the rest of the set, which is itself useful (thanks Andy!) * Instead of putting all of the notification related stuff into the struct seccomp_filter, it now lives in its own struct notification, which is pointed to by struct seccomp_filter. This will save a lot of memory (thanks Tyler!) v6 discussion: https://lkml.org/lkml/2018/9/6/769 Thoughts welcome, Tycho Tycho Andersen (6): seccomp: add a return code to trap to userspace seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE seccomp: add a way to get a listener fd from ptrace files: add a replace_fd_files() function seccomp: add a way to pass FDs via a notification fd samples: add an example of seccomp user trap Documentation/ioctl/ioctl-number.txt | 1 + .../userspace-api/seccomp_filter.rst | 89 +++ fs/file.c | 22 +- include/linux/file.h | 8 + include/linux/seccomp.h | 14 +- include/uapi/linux/ptrace.h | 2 + include/uapi/linux/seccomp.h | 42 +- kernel/ptrace.c | 4 + kernel/seccomp.c | 527 ++- samples/seccomp/.gitignore| 1 + samples/seccomp/Makefile | 7 +- samples/seccomp/user-trap.c | 312 + tools/testing/selftests/seccomp/seccomp_bpf.c | 607 +- 13 files changed, 1617 insertions(+), 19 deletions(-) create mode 100644 samples/seccomp/user-trap.c -- 2.17.1
[PATCH v7 0/6] seccomp trap to userspace
Hi all, Here's v7 of the seccomp trap to userspace set. There are various minor changes and bug fixes, but two major changes: * We now pass fds to the tracee via an ioctl, and do it immediately when the ioctl is called. For this we needed some help from the vfs, so I've put the one patch in this series and cc'd fsdevel. This does have the advantage that the feature is now totally decoupled from the rest of the set, which is itself useful (thanks Andy!) * Instead of putting all of the notification related stuff into the struct seccomp_filter, it now lives in its own struct notification, which is pointed to by struct seccomp_filter. This will save a lot of memory (thanks Tyler!) v6 discussion: https://lkml.org/lkml/2018/9/6/769 Thoughts welcome, Tycho Tycho Andersen (6): seccomp: add a return code to trap to userspace seccomp: make get_nth_filter available outside of CHECKPOINT_RESTORE seccomp: add a way to get a listener fd from ptrace files: add a replace_fd_files() function seccomp: add a way to pass FDs via a notification fd samples: add an example of seccomp user trap Documentation/ioctl/ioctl-number.txt | 1 + .../userspace-api/seccomp_filter.rst | 89 +++ fs/file.c | 22 +- include/linux/file.h | 8 + include/linux/seccomp.h | 14 +- include/uapi/linux/ptrace.h | 2 + include/uapi/linux/seccomp.h | 42 +- kernel/ptrace.c | 4 + kernel/seccomp.c | 527 ++- samples/seccomp/.gitignore| 1 + samples/seccomp/Makefile | 7 +- samples/seccomp/user-trap.c | 312 + tools/testing/selftests/seccomp/seccomp_bpf.c | 607 +- 13 files changed, 1617 insertions(+), 19 deletions(-) create mode 100644 samples/seccomp/user-trap.c -- 2.17.1
